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The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )E3 Responsive to communication(s) filed on 28 September 2001 . 
2a)D This action is FINAL. 2b)!S This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) M Claim(s) 1-51 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) £3 Claim(s) 1-51 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) 13 The drawing(s) filed on 28 September 2001 is/are: a)E3 accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 



Attachment(s) 

1 ) S Notice of References Cited (PTO-892) 4) D Interview Summary (PTO-413) 

2) D Notice of Draflsperson's Patent Drawing Review (PTO-948) Paper No(s)/Matl Date. . 

3) IS Information Disclosure Statement(s) (PTO-1449 or PTO/SB/08) 5 ) D Notice of Informal Patent Application (PTO-152) 

Paper No(s)/Mail Date see attached . 6) CD Other: . 
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DETAILED ACTION 

Information Disclosure Statement 

1 . The information disclosure statement (IDS) submitted is in compliance with the 
provisions of 37 CFR 1 .97. Accordingly, the examiner is considering the information 
disclosure statement. 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1 ) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

3. Claims 1-51 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Jacobson, U.S. Patent 6,735,701 . 

As per claim 1 , it is disclosed by Jacobson of a method for managing a security 
policy for users in a network. A policy management program is run on a computer in 
communication with the network for enabling creation of a security policy document 
using the policy management program. Users on the network are enabled to view the 
security policy document and receiving electronic data relevant to user viewing of the 
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security policy document using the policy management program (col. 2, lines 3-18 and 
col. 10, line 57 through col. 11, line 3). 

As per claims 2 and 31 , Jacobson discloses of verifying a degree of user 
compliance with the security policy by using the policy management program to assess 
the received data (col. 11, lines 3-9). 

As per claim 3, Jacobson discloses of the received data includes a timestamp 
denoting the time a user acknowledges viewing of the security policy document (col. 20, 
lines 39-55). 

As per claims 4 and 32, it is taught by Jacobson of the received data includes 
quiz results Indicative of the user comprehension of the viewed security policy 
document (col. 5, lines 37-40 and col. 6, lines 48-60). 

As per claims 5 and 33, the teachings of Jacobson disclose of enabling the 
creation of the security policy document comprises enabling selection of security 
policies from a set of options (col. 6, lines 47-57). 

As per claims 6,12, and 34, Jacobson discloses of selecting the security policies 
selected a set of options reside in a library in communication with the policy 
management program (col. 20, lines 24-26). 

As per claim 7, it is taught by Jacobson of enabling the users on the network to 
view the security policy document comprises enabling pre-selection of a group of users 
to view the security policy document (col. 5, lines 51-65). 
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As per claims 8 and 36, Jacobson discloses of comprising electronically 
providing a quiz to assess user comprehension of the viewed security policy document 
(col. 5, lines 37-40 and col. 6, lines 48-60). 

As per claim 9, Jacobson teaches of enabling the creation of the security policy 
document further comprises enabling creation of a quiz associated with the security 
policy document (col. 5, lines 37-40 and col. 6, lines 48-60). 

As per claim 10, it is disclosed by Jacobson of receiving data includes user 
responses to the quiz (col. 5, lines 37-40 and col. 6, lines 48-60). 

As per claim 1 1 , Jacobson teaches of a method for managing a security policy 
for computers in a network. A software program is run on a second computer in 
communication with the network that enables the creation of a security policy document 
using the software program by enabling selection of security policies from a set of 
options. Automatically configuring the security policy document to provide technical 
controls for implementing the security policy on at a first computer (col. 2, lines 3-18; 
col. 10, line 57 through col. 11, line 3; and col. 6, lines 47-57). 

As per claims 13 and 46, Jacobson discloses that the computers operate in 
accordance with different operating systems (col. 1, lines 60-63 and col. 5, lines 2-7). 

As per claims 14 and 47, it is taught by Jacobson that the technical controls 
comprise a format interpretable by at least one first computer (col. 1 , lines 60-63 and 
col. 5, lines 2-7). 

As per claims 15 and 48, Jacobson discloses that the security policy document is 
represented by a markup language (col. 5, lines 2-7). 
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As per claims 16 and 49, Jacobson teaches of distributing detect rules to a first 
computer (col. 8, lines 7-1 0). 

As per claims 17 and 50, it is disclosed by Jacobson of electronically notifying an 
administrator when at least one first computer is out of compliance (col. 18, lines 52-54). 

As per claim 1 8, Jacobson discloses of distributing technical controls to at least 
one first computer (col. 2, lines 14-19). 

As per claim 19, it is taught by Jacobson of running a second software program 
on the first computer to allow at least one first computer to interpret the distributed 
technical controls (col. 2, lines 14-19). 

As per claims 20 and 40, Jacobson discloses of a second software program uses 
metacommands to convert the technical controls into instructions interpretable by an 
operating system running on the first computer (col. 1, lines 60-63 and col. 5, lines 2-7). 

As per claims 21 and 41, Jacobson teaches of receiving data relevant to 
compliance of the first computer with the one or more technical controls using the 
software program (col. 2, lines 14-19). 

As per claims 22 and 42, it is disclosed by Jacobson of further comprising 
assessing the received data using a third software program (col. 2, lines 14-19). 

As per claims 23 and 43, it is taught by Jacobson that the third software program 
comprises a security management program (col. 2, lines 14-19). 

As per claims 24 and 44, jacobson discloses of verifying a degree of compliance 
of the first computer with the one or more technical controls by using the software 
program to assess the received data (col. 5, lines 37-40 and col. 8, lines 48-60). 
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As per claims 25 and 45, Jacobson teaches that the received data comprises 
compliance score data (col. 5, lines 37-40 and col. 8, lines 48-60). 

As per claim 26, Jacobson discloses of a method for managing a security policy 
for users and computers in a network. A software program is run on a second computer 
in communication with the network. A security policy document is created using the 
software program and automatically configuring the security policy document to create 
human-readable security policy document and a machine-readable security policy 
document containing technical controls readable by the first computer (col. 2, lines 3-18; 
col. 10, line 57 through col. 1 1 , line 3; and col. 6, lines 47-57). 

As per claim 27, it is taught by Jacobson of allowing the users to view the 
human-readable security policy document via the network (col. 5, lines 51-65). 

As per claim 28, Jacobson discloses of allowing the users to view the human- 
readable security policy document comprises pre-selecting a group of users to view the 
security policy document (col. 5, lines 51-65). 

As per claim 29, Jacobson teaches of electronically receiving data relevant to 
user viewing of the security policy document (col. 5, lines 37-40 and col. 6, lines 48-60). 

As per claim 30, Jacobson discloses that the received data includes a timestamp 
denoting the time a user acknowledged viewing the security policy (col. 20, lines 39-55). 

As per claim 35, it is taught by Jacobson that the human-readable security policy 
document includes a quiz to test user comprehension of the security policy document 
(col. 5, lines 37-40 and col. 6, lines 48-60). 
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As per claim 38, Jacobson discloses of distributing the machine-readable 
security policy document to at least one first computer to implement the security 
technical controls thereon (col. 1, lines 60-63 and col. 5, lines 2-7). 

As per claim 39, it is taught by Jacobson of running a second software program 
on the first computer to allow at least one first computer to interpret the distributed 
technical controls (col. 2, lines 14-19). 

As per claim 51 , Jacobson discloses of a system for managing a security policy 
for users and computers in a network. A first device containing a first program for 
creating a security policy document in both human-readable and machine-readable 
formats. A second device in communication with the first device and containing a 
second program for monitoring the security compliance of the first computer, wherein at 
least one first computer contains a third program for receiving the machine-readable 
format of the security policy document (col. 2, lines 3-18; col. 10, line 57 through col. 11, 
line 3; and col. 6, lines 47-57). 

Conclusion 

4. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christopher A. Revak whose telephone number is 571- 
272-3794. The examiner can normally be reached on Monday-Friday, 6:30am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Christopher Revak 
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